{{- /* Everything below is rendered only when all three guards hold: the
       cluster_autoscaler_enabled helper returns a non-empty value,
       nodeManager.internal carries a cloudProvider key, and the
       cluster_autoscaler_nodes helper returns a non-empty value
       (presumably the node groups the autoscaler manages; verify in _helpers). */ -}}
{{- if include "cluster_autoscaler_enabled" . }}
  {{- if hasKey $.Values.nodeManager.internal "cloudProvider" }}
    {{- if include "cluster_autoscaler_nodes" . }}
---
# ServiceAccount the cluster-autoscaler runs as. It is the subject of the
# RoleBinding and ClusterRoleBindings defined later in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cluster-autoscaler
  namespace: d8-cloud-instance-manager
  {{- include "helm_lib_module_labels" (list . (dict "app" "cluster-autoscaler")) | nindent 2 }}
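---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cluster-autoscaler
  namespace: d8-cloud-instance-manager
  {{- include "helm_lib_module_labels" (list . (dict "app" "cluster-autoscaler")) | nindent 2 }}
rules:
# Namespaced permissions for the cluster-autoscaler ServiceAccount.
# Read verbs cover the full set of machine resources; the write verbs further
# down are limited to the resources the autoscaler actually scales, and
# mutation of leader-election objects and the expander ConfigMap is pinned to
# a single resourceName.
# machine.sapcloud.io (read-only)
- apiGroups:
  - machine.sapcloud.io
  resources:
  - machinedeployments
  - machines
  - machinesets
  - awsmachineclasses
  - gcpmachineclasses
  - openstackmachineclasses
  - vspheremachineclasses
  - yandexmachineclasses
  - azuremachineclasses
  verbs:
  - get
  - list
  - watch
# cluster api (read-only)
- apiGroups:
  - infrastructure.cluster.x-k8s.io
  resources:
  - vcdmachinetemplates
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - cluster.x-k8s.io
  resources:
  - machinedeployments
  - machines
  - machinesets
  - machinedeployments/scale
  - machinepools
  verbs:
  - get
  - list
  - watch
# leader election: create is allowed for any endpoints/lease in the namespace
# (resourceNames cannot restrict create), everything else only for the
# object named cluster-autoscaler
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["endpoints"]
  resourceNames: ["cluster-autoscaler"]
  verbs: ["get", "update", "patch", "delete"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["create"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  resourceNames: ["cluster-autoscaler"]
  verbs: ["get", "update", "patch", "delete"]
# machine.sapcloud.io (write): only what the autoscaler scales, no machine classes
- apiGroups:
  - machine.sapcloud.io
  resources:
  - machinedeployments
  - machines
  - machinedeployments/scale
  verbs:
  - patch
  - update
# cluster api (write)
- apiGroups:
  - cluster.x-k8s.io
  resources:
  - machinedeployments
  - machines
  verbs:
  - patch
  - update
# priority expander ConfigMap: list/watch on all configmaps in the namespace,
# mutation only on cluster-autoscaler-priority-expander
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - cluster-autoscaler-priority-expander
  verbs:
  - delete
  - get
  - update
  - watch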
---
# Binds the namespaced Role above to the cluster-autoscaler ServiceAccount
# in the same namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cluster-autoscaler
  namespace: d8-cloud-instance-manager
  {{- include "helm_lib_module_labels" (list . (dict "app" "cluster-autoscaler")) | nindent 2 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cluster-autoscaler
subjects:
- kind: ServiceAccount
  name: cluster-autoscaler
  namespace: d8-cloud-instance-manager
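---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: d8:node-manager:cluster-autoscaler
  {{- include "helm_lib_module_labels" (list . (dict "app" "cluster-autoscaler")) | nindent 2 }}
rules:
# Cluster-wide permissions for the cluster-autoscaler ServiceAccount.
# Write verbs are granted only on nodes, pods/eviction, events and the
# cluster.x-k8s.io machine resources; everything else is read-only.
# accessing & modifying cluster state (nodes & pods)
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
# creating evictions is the only write allowed on pods
- apiGroups: [""]
  resources: ["pods/eviction"]
  verbs: ["create"]
# read-only access to cluster state
- apiGroups: [""]
  resources: ["services", "replicationcontrollers", "persistentvolumes", "persistentvolumeclaims", "namespaces"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps", "extensions"]
  resources: ["daemonsets", "replicasets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["statefulsets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["policy"]
  resources: ["poddisruptionbudgets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses", "csinodes", "csistoragecapacities", "csidrivers"]
  verbs: ["get", "list", "watch"]
# misc access
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "update", "patch"]
# cluster api
- apiGroups: ["infrastructure.cluster.x-k8s.io"]
  resources: ["vcdmachinetemplates"]
  verbs: ["get", "list", "watch"]
# NOTE(review): update is granted cluster-wide here, while the namespaced Role
# also grants patch/update on cluster.x-k8s.io objects — confirm the
# cluster-wide write is required rather than the namespaced one alone
- apiGroups: ["cluster.x-k8s.io"]
  resources: ["machinedeployments", "machines", "machinesets", "machinedeployments/scale", "machinepools"]
  verbs: ["get", "list", "watch", "update"]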
---
# Grants the cluster-wide ClusterRole above to the cluster-autoscaler
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: d8:node-manager:cluster-autoscaler
  {{- include "helm_lib_module_labels" (list . (dict "app" "cluster-autoscaler")) | nindent 2 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: d8:node-manager:cluster-autoscaler
subjects:
- kind: ServiceAccount
  name: cluster-autoscaler
  namespace: d8-cloud-instance-manager
    {{- /* end: if include "cluster_autoscaler_nodes" */ -}}
    {{- end }}
---
# Grants the shared d8:rbac-proxy ClusterRole (defined elsewhere) to the
# cluster-autoscaler ServiceAccount.
# NOTE(review): this binding sits outside the cluster_autoscaler_nodes guard,
# so it is rendered whenever the autoscaler is enabled and a cloudProvider key
# exists, even when the ServiceAccount above is not — confirm this is intended.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: d8:node-manager:cluster-autoscaler:rbac-proxy
  {{- include "helm_lib_module_labels" (list . (dict "app" "cluster-autoscaler")) | nindent 2 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: d8:rbac-proxy
subjects:
- kind: ServiceAccount
  name: cluster-autoscaler
  namespace: d8-cloud-instance-manager
  {{- /* end: if hasKey $.Values.nodeManager.internal "cloudProvider" */ -}}
  {{- end }}
{{- /* end: if include "cluster_autoscaler_enabled" */ -}}
{{- end }}
